crewjam/saml vulnerable to Denial Of Service Via Deflate Decompression Bomb
Description
The crewjam/saml Go library contains a partial implementation of the SAML standard in Go. Prior to version 0.4.13, the package's use of flate.NewReader does not limit how much data it will decompress. A user can pass more than 1 MB of data in the HTTP request to the processing functions, which is decompressed server-side using the Deflate algorithm. Repeating the same request several times therefore produces a reliable crash, since the operating system kills the process. This issue is patched in version 0.4.13.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The crewjam/saml Go library prior to v0.4.13 is vulnerable to DoS via an unconstrained Deflate decompression bomb.
Vulnerability
The crewjam/saml library, a Go implementation of the SAML standard, contains a denial of service vulnerability due to the use of flate.NewReader without limiting the size of decompressed data [1][2]. An attacker can provide a compressed SAML request larger than 1 MB, which the server decompresses without restriction, consuming excessive memory and CPU resources.
Exploitation
This vulnerability can be exploited remotely without authentication. An attacker sends a SAML request containing a crafted, highly compressed payload. When the server decompresses it using the Deflate algorithm, the decompressed data can exceed available memory, leading to process termination by the operating system [3][4]. Repeating such requests reliably crashes the service.
Impact
Successful exploitation results in a denial of service, rendering the SAML service unavailable. No confidentiality or integrity impact is described.
Mitigation
The issue is patched in version 0.4.13, which introduces a limit on decompressed data size (10 MB) [3]. Users should update to the latest version.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
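To illustrate the mitigation described above, here is an added Go example (not crewjam/saml's own code) that bounds the inflated size of a SAML HTTP-Redirect parameter using io.LimitReader with a one-byte sentinel rather than the library's counting reader; the function and parameter names, the 64 KiB cap and the 4 MiB constructed payload are assumptions made for the demo.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/base64"
	"fmt"
	"io"
)

// inflateBounded inflates raw Deflate data, reading at most maxOut+1 bytes (the extra
// byte exposes an oversized stream); the cap counts bytes produced, not buffer size.
func inflateBounded(compressed []byte, maxOut int64) ([]byte, error) {
	fr := flate.NewReader(bytes.NewReader(compressed))
	out, err := io.ReadAll(io.LimitReader(fr, maxOut+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxOut {
		return nil, fmt.Errorf("flate: uncompressed size exceeds %d bytes", maxOut)
	}
	return out, nil
}

// decodeRedirectParam follows the SAML HTTP-Redirect binding, where SAMLRequest
// is base64(deflate(xml)); inflating it is the step crewjam/saml left unbounded.
func decodeRedirectParam(param string, maxOut int64) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(param)
	if err != nil {
		return nil, fmt.Errorf("cannot decode request: %w", err)
	}
	xml, err := inflateBounded(raw, maxOut)
	if err != nil {
		return nil, fmt.Errorf("cannot decompress request: %w", err)
	}
	return xml, nil
}

func encodeRedirectParam(payload []byte) string { // builds a SAMLRequest value for demo input
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(payload)
	w.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

func main() {
	bomb := encodeRedirectParam(bytes.Repeat([]byte("a"), 4<<20)) // constructed 4 MiB bomb
	fmt.Println(decodeRedirectParam(bomb, 64<<10))                  // 64 KiB cap for the demo
}
```

A few kilobytes on the wire are rejected as soon as the inflated output passes the cap, while a request whose output sits exactly at the cap is still accepted.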
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/crewjam/saml (Go) | < 0.4.13 | 0.4.13 |
Affected products
Patches (1)
8e9236867d17 Merge pull request from GHSA-5mqj-xc49-246p
4 files changed · +61 −3
flate.go+31 −0 added@@ -0,0 +1,31 @@ +package saml + +import ( + "compress/flate" + "fmt" + "io" +) + +const flateUncompressLimit = 10 * 1024 * 1024 // 10MB + +func newSaferFlateReader(r io.Reader) io.ReadCloser { + return &saferFlateReader{r: flate.NewReader(r)} +} + +type saferFlateReader struct { + r io.ReadCloser + count int +} + +func (r *saferFlateReader) Read(p []byte) (n int, err error) { + if r.count+len(p) > flateUncompressLimit { + return 0, fmt.Errorf("flate: uncompress limit exceeded (%d bytes)", flateUncompressLimit) + } + n, err = r.r.Read(p) + r.count += n + return n, err +} + +func (r *saferFlateReader) Close() error { + return r.r.Close() +}
identity_provider.go+1 −2 modified@@ -2,7 +2,6 @@ package saml import ( "bytes" - "compress/flate" "crypto" "crypto/tls" "crypto/x509" @@ -363,7 +362,7 @@ func NewIdpAuthnRequest(idp *IdentityProvider, r *http.Request) (*IdpAuthnReques if err != nil { return nil, fmt.Errorf("cannot decode request: %s", err) } - req.RequestBuffer, err = ioutil.ReadAll(flate.NewReader(bytes.NewReader(compressedRequest))) + req.RequestBuffer, err = ioutil.ReadAll(newSaferFlateReader(bytes.NewReader(compressedRequest))) if err != nil { return nil, fmt.Errorf("cannot decompress request: %s", err) }
identity_provider_test.go+28 −0 modified@@ -1,6 +1,8 @@ package saml import ( + "bytes" + "compress/flate" "crypto" "crypto/rsa" "crypto/x509" @@ -1013,3 +1015,29 @@ func TestIDPNoDestination(t *testing.T) { err = req.MakeResponse() assert.Check(t, err) } + +func TestIDPRejectDecompressionBomb(t *testing.T) { + test := NewIdentifyProviderTest(t) + test.IDP.SessionProvider = &mockSessionProvider{ + GetSessionFunc: func(w http.ResponseWriter, r *http.Request, req *IdpAuthnRequest) *Session { + fmt.Fprintf(w, "RelayState: %s\nSAMLRequest: %s", + req.RelayState, req.RequestBuffer) + return nil + }, + } + + //w := httptest.NewRecorder() + + data := bytes.Repeat([]byte("a"), 768*1024*1024) + var compressed bytes.Buffer + w, _ := flate.NewWriter(&compressed, flate.BestCompression) + w.Write(data) + w.Close() + encoded := base64.StdEncoding.EncodeToString(compressed.Bytes()) + + r, _ := http.NewRequest("GET", "/dontcare?"+url.Values{ + "SAMLRequest": {encoded}, + }.Encode(), nil) + _, err := NewIdpAuthnRequest(&test.IDP, r) + assert.Error(t, err, "cannot decompress request: flate: uncompress limit exceeded (10485760 bytes)") +}
service_provider.go+1 −1 modified@@ -1524,7 +1524,7 @@ func (sp *ServiceProvider) ValidateLogoutResponseRedirect(queryParameterData str } retErr.Response = string(rawResponseBuf) - gr, err := ioutil.ReadAll(flate.NewReader(bytes.NewBuffer(rawResponseBuf))) + gr, err := ioutil.ReadAll(newSaferFlateReader(bytes.NewBuffer(rawResponseBuf))) if err != nil { retErr.PrivateErr = err return retErr
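Review bot: in flate.go, saferFlateReader.Read tests r.count+len(p) > flateUncompressLimit before it reads anything, so the limit is applied to the size of the buffer the caller offers rather than to the bytes actually inflated. A stream well under 10 MB is therefore rejected whenever the caller passes a large buffer, and ioutil.ReadAll (the caller at both sites touched by this PR) hands the reader progressively larger buffers as its slice grows, so the effective cap lands below the advertised 10485760 bytes. Check after the read instead (`n, err = r.r.Read(p)`, `r.count += n`, then `if r.count > flateUncompressLimit`), or shrink p to the remaining budget first, so the constant and the error text mean what they say.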
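Review bot: in identity_provider.go the limit error is flattened with `%s` in `fmt.Errorf("cannot decompress request: %s", err)`; wrapping it with `%w` would let callers tell the size-limit rejection apart from a malformed stream via errors.Is/As, which matters if an IdP wants to log or rate-limit oversized requests separately.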
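Review bot: TestIDPRejectDecompressionBomb materialises 768 MiB with `bytes.Repeat([]byte("a"), 768*1024*1024)` before compressing it, so the test itself needs close to a gigabyte of RAM plus a long BestCompression pass on every run; since only the compressed bytes matter, write a small repeated chunk to the flate writer in a loop (or feed it from an io.Reader that generates the run) to get the same on-the-wire payload cheaply. The leftover `//w := httptest.NewRecorder()` line should also be dropped, and the assertion on the full error string couples the test to the exact message in flate.go, so a change of wording there will break it.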
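Review bot: service_provider.go changes only the ValidateLogoutResponseRedirect call site (+1 −1) and keeps its compress/flate import, so this file still references the flate package elsewhere; confirm that any remaining flate.NewReader call there (as opposed to flate.NewWriter for outbound compression) also goes through newSaferFlateReader, otherwise the same bomb reaches the service provider by another path.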
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
- [1] github.com/advisories/GHSA-5mqj-xc49-246p (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2023-28119 (NVD advisory)
- [3] github.com/crewjam/saml/commit/8e9236867d176ad6338c870a84e2039aef8a5021 (fix commit)
- [4] github.com/crewjam/saml/security/advisories/GHSA-5mqj-xc49-246p (repository security advisory)